Visa and MC seem to be issuing new chip cards. I understand the value of the new cards but am curious how my prior info with the issuer is erased.
The hacking seems to be within co info [Target etc] and how does a new card delete my info?
Am I making any sense?

boater07 wrote:Visa and MC seem to be issuing new chip cards. I understand the value of the new cards but am curious how my prior info with the issuer is erased.
The hacking seems to be within co info [Target etc] and how does a new card delete my info?
Am I making any sense?

The hacking at, for example, Target, compromised your name, physical address, phone number, email and debit or credit card number. The hackers still have the first four pieces of info, but Visa/MC change the one thing they can change, which is your card number.

MSchleicher wrote:The chip cards will deter thieves from copying information contained within the magnetic strip. This level of protection will not be the end all be all solution to data breaches and hacking.

Thank you. I think I get it. The magnetic strip had all the info. I was afraid that a new card alone with chip would still leave all my info somewhere.
ie a card application with personal info .

MSchleicher wrote:The chip cards will deter thieves from copying information contained within the magnetic strip. This level of protection will not be the end all be all solution to data breaches and hacking.

Thank you. I think I get it. The magnetic strip had all the info. I was afraid that a new card alone with chip would still leave all my info somewhere.
ie a card application with personal info .

Your information is in more places than the magnetic strip. Whatever you entered on an application is stored at the credit card issuer for however long their retention policy states. Certain information will be retained as long as you keep the account, as part of the account management information. Changing the card number does not delete the account, just how merchants can charge the account.

Also, if someone has a copy of your magnetic stripe, such as what has happened with the numerous breaches (not just Target), they'll still have that copy. They'll still know everything that was on the magnetic stripe of the old card. Reissuing the card does not destroy the copies. They just won't be able to make new charges against the account because the card number has been changed.

The chip-and-sig cards still have a magnetic stripe, so they are still clonable and hackable. The chip might make it easier to use outside the US. Chip and pin may be more secure in person. Does nothing for internet fraud. I am not understanding all the gnashing of teeth here over fraud. It doesn't cost the consumer anything. The banks have decided that the solution to fraud is pattern detection and the fraud losses are less than the cost of a hardware switch with limited benefits.

Every time (Home Depot issues) I think oh, I wish my bank would send a Chip card instead of one with a magnetic strip I remember that I have yet to visit a store that has a reader for chip cards:( Hopefully soon...

Chip cards (also known as EMV cards) contain a secret cryptographic key used in the data exchange with the terminal. The technology is the same as used in cellphone SIM cards. Where a simple magnetic strip card can be duplicated by simply reading and reproducing the magnetic stripe information, duplicating a chip card means getting the secret key out of the card. That is hard.

In our area Walmart has new card terminals that read the chips instead of the mag strips. My new Amex card has both, so if I swipe the strip in the conventional way at Walmart, the terminal will halt the transaction and direct me to insert the card into the chip reader. Once it's inserted, the reader instructs me to not remove the card until the transaction is complete.

runner9 wrote:Every time (Home Depot issues) I think oh, I wish my bank would send a Chip card instead of one with a magnetic strip I remember that I have yet to visit a store that has a reader for chip cards:( Hopefully soon...

I'm just back from a road trip to Atlantic Canada (NB and PEI). With the exception of a few gasoline pump CC terminals, all of the credit card terminals I encountered at restaurants and stores were chip-card functional: insert the chip-card in the slot at the bottom or slide the magstripe card in the groove at the right.
It should be only a matter of years before the US catches up with Canada, I'm guessing...

If the maliciousness software is inserted into the POS terminal (as at Target) then it can read the pin as you're entering it. It gets the account number as it gets sent to the central system for processing by the credit card issuer for validation and processing.

Steelersfan wrote:If the maliciousness software is inserted into the POS terminal (as at Target) then it can read the pin as you're entering it. It gets the account number as it gets sent to the central system for processing by the credit card issuer for validation and processing.

Chip and pin is an improvement but doesn't cover all bases.

There have been a couple of articles out about how the FLIR cases for the iPhone and Android can allow people to find out your PIN

runner9 wrote:Every time (Home Depot issues) I think oh, I wish my bank would send a Chip card instead of one with a magnetic strip I remember that I have yet to visit a store that has a reader for chip cards:( Hopefully soon...

Walmart has them and they are enabled. It even forced me to use the chip the last two visits. Target, Lowes, and several other big box stores also has chip-capable readers (you can see the slot at the bottom of the point-of-sale device), but they are not enabled yet.

runner9 wrote:Every time (Home Depot issues) I think oh, I wish my bank would send a Chip card instead of one with a magnetic strip I remember that I have yet to visit a store that has a reader for chip cards:( Hopefully soon...

Walmart has them and they are enabled. It even forced me to use the chip the last two visits. Target, Lowes, and several other big box stores also has chip-capable readers (you can see the slot at the bottom of the point-of-sale device), but they are not enabled yet.

They should become much more widespread over the next year. October 1, 2015 is the date of the "liablity shift" for all major US credit card issuers.

It seems now like there is agreement on the switch. So when will the changeover happen?

For Mastercard, now is the time, and we’ve been very consistent on that message for years. We introduced our roadmap for migration in 2012, and that roadmap says that for face-to-face transactions, where a consumer uses their card at a merchant’s location, the liability shift will happen in October, 2015.

The “liability shift” is a big moment in the changeover. Can you explain what it means?

Part of the October 2015 deadline in our roadmap is what’s known as the ‘liability shift.’ Whenever card fraud happens, we need to determine who is liable for the costs. When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability.

So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.

The key point of a liability shift is not actually to shift liability around the market. It’s to create co-ordination in the market, so you have issuers and merchants investing in the migration at the same time. This way, we’re not shifting fraud around within the system; we’re driving fraud out of the system.

boater07 wrote:Visa and MC seem to be issuing new chip cards. I understand the value of the new cards but am curious how my prior info with the issuer is erased.

Chase sent me a replacement card that was chip and signature and it has a completely different card number (and switched from MC to Visa) although all the account stuff history and such stays the same.

I have a Citi card with chip and mag stripe. All stores that I shop in accept a swipe of the card. All except Sam’s Club (owned by Walmart). Their terminal rejects my card if I swipe it. It forces me to insert the card at the base of the reader. It then takes about 20 seconds to complete the transaction, at which time it say to remove card. The chip technology is a step in the right direction, but it is adding too much time to each purchase.

The Chip-and-pin is part of the EMV migration that banks and retailers are arguing over. In the USA, the norm is that all card readers will have both the chip and mag-stripe, giving the consumers time to get used to the chip-based transactions. You need a PIN to use the chip, or a signature (chip and signature). The issue is the cost of the new point of sale devices which retailers have to spend on to upgrade to read the new chip-based cards.

WRT security, chip based cards are more secure as each transaction comes with a different code, which cannot be replicated by card skimmers. Mag strip still carries that risk, as they lack the secure chip to generate new codes. Although information on the cards themselves are "safe", the same cannot be said of the transmission lines and networks that carry this information to the processors and acquirers. To address the gap here, companies are implementing new tokenization methods to bolster security of transmitted information.

Hope this helps - please let me know if you need more information as I do this everyday as part of my job

Steelersfan wrote:If the maliciousness software is inserted into the POS terminal (as at Target) then it can read the pin as you're entering it. It gets the account number as it gets sent to the central system for processing by the credit card issuer for validation and processing.

Chip and pin is an improvement but doesn't cover all bases.

Yes, but this infomation can't be used at other chip and pin terminals. Simply put, the chip can't be duplicated except (we hope) by truly sophisticated parties with a laboratory and lots of time.

The information can be used online, but it's protected by that little verification code that machines don't read. Which is not much, but together with fraud detection it should work reasonably well. It can also be used in magstripe terminals while they still exist, so part of the process is getting rid of those.

Essentially, a simple way to think of this (it is not how it technically works, but close enough to grasp what's happening) is that the chip provides the equivalent to the three digit code on the back of the card (or four on the front for AmEx). The clincher is that the "code" changes every single time. There is no reasonable method to replicate this data and simply "recording" and "replaying" the answer does NOT work, so a compromised terminal copying the code gains nothing.

Now, this does nothing for online transactions or other "card not present" (CNP) transactions. Thus, if a chip and PIN terminal gets compromised, the card # is available to be run elsewhere as a CNP. Another negative is us humans tend to reuse PINs. So if the compromised terminal stores your PIN, it can be reused in a different attack. This one is actually less of an issue b/c it is relevant in a targetted attack (I want to get you specifically instead of "all cards" at the terminal), or when a chip and PIN debit card is used at the compromised terminal. Since that PIN is only useful if I reused it for like my ATM card or something, the criminal would have to get that card cloned too. To counteract this, some banks do NOT let you use the same PIN for the chip on an EMV card as your "cash withdrawal" PIN, in case you use a debit card with a chip in a compromised terminal.

But anyways, it is simple to think of this as a "one-time use" 3-digit code like the reusable 3-digit code on the back of your card.

Steelersfan wrote:If the maliciousness software is inserted into the POS terminal (as at Target) then it can read the pin as you're entering it. It gets the account number as it gets sent to the central system for processing by the credit card issuer for validation and processing.

Chip and pin is an improvement but doesn't cover all bases.

Yes, but this infomation can't be used at other chip and pin terminals. Simply put, the chip can't be duplicated except (we hope) by truly sophisticated parties with a laboratory and lots of time.

The information can be used online, but it's protected by that little verification code that machines don't read. Which is not much, but together with fraud detection it should work reasonably well. It can also be used in magstripe terminals while they still exist, so part of the process is getting rid of those.

Agree with all that.

I do a fair amount of online shopping and I'm surprised how many sites do not require that three digit code when "checking out".